
How to search your hacking tracks on your computer (Windows and Linux)

By Prempal Singh | July 3, 2017

Prevention and intrusion detection are key elements in keeping computers and computer networks secure.

If a computer or network device has been compromised, you need to act immediately to:

• prevent the threat from spreading further (isolate the compromised device, clean it, or completely rebuild the system from a trusted backup, etc.);

• identify how the penetration/infection happened and close that path (investigate the system, install security updates, stop using vulnerable software and network equipment, deploy intrusion prevention and detection systems, install antivirus software, change the organization's information security policy, etc.);

• assess and manage the consequences of the break-in (determine exactly what information fell into the hands of the criminals, whether credentials were changed, CDN recovery, warning users to change their passwords, etc.).

Warning signs that your computer has been hacked (indicators of compromise) include:

• the appearance on the computer of malicious files (viruses, backdoors, trojans, keyloggers, cryptors, miners, etc.) and of hacking tools (for network reconnaissance, exploitation of vulnerabilities, credential harvesting, etc.);

• the appearance of new, unauthorized executables and other files, even if antivirus software does not flag them as malicious;

• unauthorized network activity (connections to remote hosts, listening ports opened by unknown programs or by programs that have no need to listen, and so on);

• abnormal disk activity and increased consumption of system resources (caused by searching through the disks, encrypting files, or the attacker using your computer's resources for computation or for storing and distributing data, etc.);

• other signs, both those visible "by eye" and those that require specialized software to detect.

How to use Loki

In this article you will learn about Loki, a simple scanner for indicators of compromise. Loki is open source and free, is cross-platform, incorporates a number of free tools and an open database of malicious-file data. The program is actively developed and is constantly updated with new signatures.

You can check your computer or server on Linux as well as on Windows.

Description of Loki

Loki is a scanner that detects signs of a break-in.

Detection is based on four methods:

• file names (regular-expression match against the full path of the file);

• YARA rule check (matching YARA signatures against file contents and process memory);

• hash check (comparing the scanned file's MD5, SHA1 and SHA256 hashes against those of known malicious files);

• C2 back-connect check (comparing process endpoints against C2 IOCs).
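As an added example (not Loki's own code), here is a minimal Python scanner that implements three of these four checks over in-memory sample data: file-name regexes, hash lookups and C2 endpoint matching. The IOC values, file contents and connection list are all constructed for illustration, and the YARA check is left out.

```python
import hashlib
import re

# Constructed IOC sets (sample values, not real indicators): file-name regexes,
# file hashes (Loki accepts MD5, SHA1, SHA256) and C2 addresses (TEST-NET ranges).
FILENAME_IOCS = [
    (r"\\Windows\\Temp\\.*\.exe$", "executable dropped in Windows temp"),
    (r"/tmp/\.[A-Za-z0-9]{6,}$", "hidden file in /tmp"),
]
HASH_IOCS = {
    hashlib.md5(b"malicious sample A").hexdigest(): "SampleA",
    hashlib.sha256(b"malicious sample B").hexdigest(): "SampleB",
}
C2_IOCS = {"203.0.113.7", "198.51.100.42"}

def check_filename(path):
    """Regex match against the full path; returns the IOC description or None."""
    for pattern, desc in FILENAME_IOCS:
        if re.search(pattern, path):
            return desc
    return None

def check_hashes(content):
    """Hash the content with each algorithm and look the digest up in HASH_IOCS."""
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, content).hexdigest()
        if digest in HASH_IOCS:
            return HASH_IOCS[digest]
    return None

def check_c2(connections):
    """connections: iterable of (pid, process_name, remote_ip); returns the hits."""
    return [(pid, name, ip) for pid, name, ip in connections if ip in C2_IOCS]

def scan(files, connections):
    """Run all three checks. files maps path -> bytes (read from disk in a real scan)."""
    alerts = []
    for path, content in files.items():
        for kind, hit in (("FILENAME", check_filename(path)), ("HASH", check_hashes(content))):
            if hit:
                alerts.append((kind, path, hit))
    alerts += [("C2", f"{name}[{pid}]", ip) for pid, name, ip in check_c2(connections)]
    return alerts

# Constructed sample input: two planted files, one clean file, two connections.
SAMPLE_FILES = {r"C:\Windows\Temp\update.exe": b"malicious sample A",
                "/usr/bin/ls": b"legitimate binary", "/tmp/.x7Hq9z": b"malicious sample B"}
SAMPLE_CONNECTIONS = [(1234, "svchost.exe", "203.0.113.7"), (2222, "firefox", "192.0.2.10")]

if __name__ == "__main__":
    print(*scan(SAMPLE_FILES, SAMPLE_CONNECTIONS), sep="\n")
```

Running it reports five alerts: a file-name and a hash hit for each planted file, and one C2 hit for the svchost.exe connection; the clean file and the second connection produce nothing.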

Additional checks:

• Regin file system check (via --reginfs)

• process anomaly check

• scan of decompressed SWF files

• SAM dump check

• DoublePulsar check – tries to detect the DoublePulsar backdoor on ports 445/tcp and 3389/tcp

Homepage: https://github.com/Neo23x0/Loki

Installing Loki on Windows

Download the latest release from the official releases page and unpack the archive; the program requires no installation, unpacking the downloaded archive is enough. To start, open a command prompt: press Win + X and select "Command Prompt (Admin)". Begin by updating the program and its signatures: drag the file loki-upgrader.exe into the command prompt window that opens, press ENTER, and wait for the process to complete.

After that, drag the file loki.exe into the command prompt and press ENTER to begin scanning the entire computer.

If you do not trust the executable, the program's page explains how to compile it yourself from source code.

Installation on Kali Linux

 sudo pip2 install psutil netaddr pylzma colorama
 git clone https://github.com/Neo23x0/Loki
 cd Loki/
 python2 loki-upgrader.py
 python2 loki.py -h

YARA must be installed; it is available in Kali Linux by default.

YARA is a tool aimed (but not limited) at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or anything else you want to describe) based on textual or binary patterns. Each description (also called a "rule") consists of a set of strings and a Boolean expression that determines its logic.

Homepage: https://github.com/VirusTotal/yara/

Installation on Linux Mint and Ubuntu

 sudo apt-get install yara python-yara python-pip python-setuptools python-dev git
 sudo pip2 install --upgrade pip
 sudo pip2 install -U setuptools
 sudo pip2 install psutil netaddr pylzma colorama
 git clone https://github.com/Neo23x0/Loki
 cd Loki/
 python2 loki-upgrader.py
 python2 loki.py -h

Installation on BlackArch

 sudo pacman -S yara python2-pip python2-yara
 sudo pip2 install psutil netaddr pylzma colorama
 git clone https://github.com/Neo23x0/Loki
 cd Loki/
 python2 loki-upgrader.py
 python2 loki.py -h

P.S. Loki is a simple program for finding signs of compromise. It helps you spot clear signs of penetration and infection of the computer. It is also a good tool for learning about and understanding your operating system and the processes running in it.
